Last Week in Security (LWiS) - 2024-10-21
VNC-Like over SCCM (@netero_1010), Use LLMs to find CVEs (@ProtectAICorp), New process 💉 technique (@OutflankNL), 💰 Big acquisition (@Sophos), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-14 to 2024-10-21.
News
- Sophos to Acquire Secureworks to Accelerate Cybersecurity Services and Technology for Organizations Worldwide - "...The all-cash transaction is valued at approximately $859 million". Congrats to those that cashed out!
- Leeds Equity Partners Acquires OffSec - Offsec has been acquired by Leeds Equity Partners. News coming shortly after the OSCP+ vs OSCP announcement.
- Cisco Event Response: Reports of Security Incident - "...Based on our investigations, we are confident that there has been no breach of our systems."
- Welcome to the EDR Telemetry Project - Just released! Certainly do not use this data as the sole source of truth for your EDR telemetry, but it's a good starting point for understanding what data is being collected by various EDR solutions.
- Firm hacked after accidentally hiring North Korean cyber criminal - North Koreans continue to get jobs as an initial access vector. Anyone else establish initial access from just applying to a job posting? #SorryHR
- Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals - The US has accused two brothers of being part of the hacker group Anonymous Sudan, which allegedly went on a wild cyber attack spree that hit hundreds of targets—and, for one of the two men, even put lives at risk.
- Microsoft said it lost weeks of security logs for its customers’ cloud products - Not only do you have to pay to play but you might also lose your logs in the process. Ouch!
- Internet Archive breached again through stolen access tokens - They can't catch a break right now. Second in a row. Leave the Internet Archive alone!
- Army Announces Effort to Help Small Business Meet Cybersecurity Requirements - "...The Army is setting aside about $26 million in both fiscal year 2025 and fiscal year 2026 for the pilot NCODE program"
- Japanese authorities trace Monero, arrest 18 in $670K laundering case - Unsure how this "tracing" took place. "The flow was traced" is all the linked article (written in Japanese) says. This was the first time (as reported by Japanese authorities) that Monero was used to identify a suspect.
Techniques and Write-ups
- Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection - A process injection technique that avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction.
- The Black Team Ops honeypot - Your weekly humor/troll post. Title says it all.
- Spec-tac-ula Deserialization: Deploying Specula with .NET - Exploiting .NET deserialization to persist on a workstation. Some updates have been made to ysoserial.net as well.
- Becoming a Stratus Red Team Contributor - A step-by-step walkthrough of contributing to this project and how the project is structured.
- Elevate Your Threat Hunting with Elastic - A threat hunting package designed to aid defenders with proactive detection queries to identify actor-agnostic intrusions.
- I hate you COM - Pitfalls of COM object activation - Documented lessons learned from tool development using COM objects and the ICorPublish interface.
- Call and Register — Relay Attack on WinReg RPC Client - The write-up of CVE-2024-43532. The vulnerability abuses a fallback mechanism in the WinReg client implementation that uses obsolete transport protocols insecurely if the SMB transport is unavailable.
- Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability. - This blog post showcases how to exploit CVE-2024-37383 which is a Roundcube Webmail vulnerability. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page.
- How Threat Actors Conduct Election Interference Operations: An Overview - Elections in the US are around the corner which means these headlines are SEO goldmines. TLDR - Check your news sources!
- Hardening Entra ID - Good baseline read for anyone performing engagements (offense or defense) against Entra ID.
Tools and Exploits
- SCCMVNC - A tool to modify SCCM remote control settings on the client machine, enabling remote control without permission prompts or notifications. This can be done without requiring access to SCCM server.
- Secure_Stager - An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution.
- rigour - A rigorous IoT scanner based on Shodan.io
- vulnhuntr - Vulnhuntr leverages the power of LLMs to automatically create and analyze entire code call chains starting from remote user input and ending at server output for detection of complex, multi-step, security-bypassing vulnerabilities that go far beyond what traditional static code analysis tools are capable of performing.
- AuthzAI - An automated tool to test and analyze API endpoints for potential permission model violations using OpenAI structured outputs.
- rflasermic - From DEFCON32 - RF-modulated high fidelity laser microphone and keystroke sniffer
- LsassReflectDumping - This tool leverages the Process Forking technique using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone is created, it utilizes MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the cloned process.
- CVE-2024-43532 - PoC of CVE-2024-43532 by Akamai Security Research
- DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
- emulator - 🪅 Windows User Space Emulator. A high-performance Windows process emulator that operates at the syscall level, providing full control over process execution through comprehensive hooking capabilities.
- servicelens - ServiceLens is a Python tool for analyzing services linked to Microsoft 365 domains. It scans DNS records like SPF and DMARC to identify services, categorizing them into Email, Cloud, Security, and more.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ghostport - A high-performance port spoofing tool built in Rust. Confuse port scanners with dynamic service emulation across all ports. Features customizable signatures, efficient async handling, and easy traffic redirection.
- venator - A flexible threat detection platform that simplifies rule management and deployment using K8s CronJob and Helm, but can also run standalone or with other job schedulers like Nomad.
- openvmm - Home of OpenVMM and OpenHCL.
- zerox - A dead simple way of OCR-ing a document for AI ingestion. Documents are meant to be a visual representation after all. With weird layouts, tables, charts, etc.
- Query WinGet software installer data with PowerShell - Don't sleep on WinGet! It's a great way to install software on Windows.
- saml2aws - CLI tool which enables you to log in and retrieve AWS temporary credentials using a SAML IDP
- GoReSym - Go symbol recovery tool
- BitNet - Official inference framework for 1-bit LLMs
- Nuitka - Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4-3.12. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.
- RustHound-CE - Active Directory data ingestor for BloodHound Community Edition written in Rust. 🦀
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.